Bottom Line

The highly configurable Emsisoft Anti-Malware earns very good scores from the labs, and it did very well in our hands-on malware blocking and malicious URL tests.

May 10, 2017 | Neil J. Rubenking

The first well-known malicious programs were computer viruses, and the products designed to thwart them got the name antivirus as a result. These days actual computer viruses are rare; other types of malware like spyware, trojans, and ransomware are much more common. Anti-malware would really be a better term, but use of the term antivirus is just too entrenched. Emsisoft recognizes that fact in the product name, Emsisoft Anti-Malware.

With the start of this year, Emsisoft switched away from the old scheme of releasing new, numbered versions every year or so. The product now gets a new, improved version every month, and the version number reflects that. The version reviewed here, 2017.4, was released in the fourth month of 2017.

Emsisoft's $39.95 per year list price is completely in line with that of its competition. Bitdefender, Kaspersky, Norton, and Webroot are among the many products costing roughly the same. At first glance, the $59.95 subscription price for McAfee AntiVirus Plus seems a bit steep, but that price gets you unlimited installations, not just one.

Four large panels dominate the program's main window: Protection, Scan, Quarantine, and Logs. Each panel offers information about the corresponding program areas, and clicking a panel gets you more information and configuration choices. The program displays a pleasing simplicity, with only the necessary controls and settings.

Decent Lab Results

Of the five independent antivirus testing labs I follow, Emsisoft participates with two. Its score in the Virus Bulletin RAP (Reactive And Proactive) test is very close to the current average, which is roughly 82 percent.

I follow four of the many tests reported by AV-Comparatives. A product that meets the minimum to pass one of these tests receives Standard certification, while those that do more than the minimum can earn Advanced or Advanced+ certification. Of the four tests, Emsisoft took three Advanced ratings and one Advanced+.

The calculation I use to aggregate lab scores yields 8.4 of 10 possible points for Emsisoft. That's good, but others have done quite a bit better, Bitdefender Antivirus Plus 2017 and Kaspersky in particular. All five labs include these two in their testing, and both managed an aggregate score of 9.8 points.

Scan Choices

The majority of antivirus products offer three kinds of scans. The quick scan looks for malware resident in memory and checks common locations for traces of malware. The full scan carefully examines your entire system for signs of malware. And the custom scan performs a specific subset of scanning operations, limits the scan to user-specified locations, or both.

Emsisoft's scan choices are slightly different. The Quick Scan looks just at active programs. If you choose Malware Scan, you get what many competitors would call a quick scan of memory and common malware hiding places. To get a full scan of the entire computer, you choose Custom Scan and select all disk drives.

A full scan of my standard, clean test system took 45 minutes, which is precisely average for recent programs. A second scan didn't run any faster. Some antivirus products take note of known, safe files during the first scan, omitting them from future scans as long as they're unchanged. A repeat scan with BullGuard took just 5 minutes, compared to 50 for the initial scan. And ESET NOD32 Antivirus 10 managed to finish the repeat scan in barely half a minute.

Effective Malware Blocking

The best time to head off a malware attack is before the nasty program ever launches. Some antivirus utilities check files for malware on any access, even the minimal access that occurs when Windows Explorer displays the file's data. Others wait to scan until the program is moved or changed. Still others don't run a scan until just before the program executes. Emsisoft lets you choose any of these three methods. By default, in the Balanced mode, it scans files when they're modified. In Thorough mode, it scans on every access. And in Fast mode it waits until just before the program launches.

To get Emsisoft's attention, I moved my collection of malware samples into a new folder. It quickly wiped out 79 percent of them. Rather than pop up multiple notifications, it stacked up all pending alerts in a single notification box. I found the placement of the notifications just a bit odd; they slide in from the middle of the screen's right side. I did find that you can tweak the notification system to slide from left or right, at top, bottom, or center. You can also control how long they stay visible.

I have a second set of samples that started off as copies of the first. For each of these, I changed the filename, added zeroes at the end to change the file size, and overwrote some non-executable bytes. When I copied these to a new location, Emsisoft missed 27 percent of those whose originals it killed on sight. Fortunately, simple, signature-based detection is just one of the many layers of protection Emsisoft brings to the party.

Indeed, when I launched the samples that survived the initial massacre, Emsisoft detected and blocked every single one. Some it flagged as PUPs, Potentially Unwanted Programs; I chose to quarantine these. It quarantined another as an unwanted toolbar, and quarantined others based on suspicious behavior. I did find that a few malware-related executable files made it onto the test system, which is why Emsisoft earned 9.4 points rather than a perfect 10. But 100 percent detection is quite good.

I change out my malware samples periodically, and this is only the second test I've run using the latest samples. The first was IObit Malware Fighter 5 Pro, which didn't do nearly as well as Emsisoft. Tests using the previous sample set aren't totally comparable. I will note, though, that when challenged with that previous sample set, Webroot SecureAnywhere AntiVirus, PC Matic, and Comodo detected 100 percent and scored 10 points.

To evaluate a product's protection against the very latest malware, I start with a feed of malware-hosting URLs generously supplied by MRG-Effitas. I load the list into a test program and launch each URL, noting whether the antivirus blocks all access to the dangerous URL, deletes the malware download, or totally spaces out. Once I have 100 valid data points, the test ends.

Emsisoft blocked an impressive 94 percent of the malware downloads, roughly two thirds of them by preventing access to the URL. Most products replace the dangerous page in the browser with a warning. Emsisoft instead slides in a notification that it detected a known malware host, leaving the browser displaying an error message.

Avira Antivirus Pro edged out Emsisoft's detection rate, earning 95 percent. Norton has the top score at present, 98 percent. But Emsisoft did better than almost all the rest.

So-So Phishing Protection

The same Surf Protection component that helped Emsisoft succeed in the malicious URL blocking test also helps prevent users from falling for phishing scams. Phishing websites try to steal login credentials by posing as all kinds of secure websites, from bank sites to online gaming sites. If you log in to the fake site, you've given away access to your bank account, or your Level 10 Paladin.

To evaluate how well a program handles these fraudsters, I gather the newest examples I can find from fraud-reporting sites. I specifically try for those that are too new to have been analyzed and blacklisted, since those are the most dangerous. I go through the list, launching each in five browsers simultaneously. The product under test protects one browser, naturally, and long-time antiphishing champ Symantec Norton AntiVirus Basic shields another. The other three rely on the protection built into Chrome, Firefox, and Internet Explorer.

One critical feature that powers Norton's phishing protection is a heuristic analysis component that analyzes pages in real time for signs of fraud. It appears that Emsisoft relies solely on a blacklist, with no real-time component, and the results show it. Emsisoft came in 32 percentage points behind Norton's detection rate. It also lagged behind the built-in protection in two of the three browsers. On the plus side, this is a significant improvement since the last time I ran this test. That time Emsisoft lagged 61 percentage points behind Norton's.

There are a few products that have outscored Norton in this test. Bitdefender, Kaspersky Anti-Virus, and Webroot all edged out the champ; good for them!

Behavior Blocking and Ransomware

Emsisoft's behavior blocking component came into play during my malware blocking test. To explore it further, I tried installing a collection of older utilities, tools that dig into system properties in ways that might seem suspicious. The results were interesting.

For three of the utilities, Emsisoft slid out a notification of suspicious behavior, which changed after a short while once a query to the cloud revealed the program to be safe. However, the interruption for that query disabled a service essential to one of the programs.

Three other utilities received different treatment. Emsisoft displayed a big window with a yellow behavior alert banner, which looked very like its PUP warning. A single, simple action such as changing autorun settings was sufficient to trigger this warning. I'd prefer to see a full behavioral analysis, considering patterns of behavior rather than just individual behaviors. With a system like Emsisoft's, some users will block or quarantine innocuous programs, while others will stop taking the warnings seriously.

For another take on behavior-based blocking, I turned off real-time antivirus protection and launched a couple of ransomware samples. Emsisoft displayed a behavior alert warning for the first one, with a red banner and a warning about the malware's attempt to manipulate other processes. Just to see what would happen, I clicked away the warning, and the pair of less-severe warnings that followed. Emsisoft's regular malware-detection popup slid onscreen, stating that it quarantined "Behavior.CryptoMalware." Good catch!

For the second sample, Emsisoft reacted with a red-banner behavior alert warning that the program was "attempting to modify your documents in a suspicious manner." It never used the word ransomware, but I think any user would respond as I did, by clicking Quarantine. Doing so headed off the malware.

Emsisoft's behavior-based detection can indeed catch malicious behaviors, even ransomware behaviors, though it's not ransomware-specific. But the fact that it displays warnings for both good and bad programs dilutes its effectiveness.

Focused Protection

Emsisoft Anti-Malware focuses strongly on the single task of keeping your system free of malware. It doesn't pile on features like firewall or spam filtering. It doesn't expend energy on tangential tasks like scanning for vulnerabilities, wiping browsing traces, or blocking ads on web pages. If that's what you want, it can be a good choice. The airy user interface and minimalist configuration settings are icing on the cake.

However, you should also consider our several Editors' Choice antivirus utilities. Kaspersky Anti-Virus and Bitdefender Antivirus Plus routinely walk away with top scores in independent lab tests. Symantec Norton AntiVirus Basic gets good scores too, and useful bonuses include intrusion prevention, spam filtering, and password management. You won't find an antivirus tool smaller or lighter than Webroot SecureAnywhere AntiVirus, and its wholly behavior-based detection system handles even zero-day attacks. Finally, while McAfee AntiVirus Plus doesn't score quite as high as the rest, a subscription lets you protect every device you own.

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of ...